FedRAMP®

RAMPcon 2025: Redefining FedRAMP for the Future

Karen Laughton

EVP, Advisory Services, Coalfire

June 12, 2025

The third annual RAMPcon happened this week, and if you couldn’t join, you missed two incredible days of listening to industry experts talk about the latest and greatest on FedRAMP, CMMC, GovRAMP, global compliance, public sector go-to-market strategy, automation, and the belle of the ball these days, AI.

Day 2 was capped off with a keynote by Pete Waterman, FedRAMP Program Management Office (PMO) Director. Attendees flooded in to listen intently to Pete’s words hoping for clarity on what is happening with FedRAMP 20X and to learn what they should do next.

The very clear message from Pete was that FedRAMP as we knew it is dead and gone, and the PMO desperately needs the cloud industry to help redefine what the new FedRAMP 20X should look like. The FedRAMP PMO team and budget were drastically reduced as part of DOGE cuts, and they do not have the resources to do this on their own. To fulfill their mission, they need cloud services to participate in the working groups established on GitHub and to volunteer for the pilots as they roll out, if they qualify.

I love the new transparency coming from FedRAMP PMO; it is refreshing. I also love the idea of making FedRAMP easier for Cloud Service Providers (CSPs) and automating as much as we feasibly can. We all can agree the old FedRAMP was inefficient. The cost of achieving it is high and there were bottlenecks caused by unnecessary PMO reviews of FedRAMP packages and lack of resources and budget within agencies to dedicate towards “sponsoring” a CSP so their service could be listed on the FedRAMP marketplace.

To Pete’s credit, he has fixed one of the largest and most costly barriers to entry: the PMO review. Most of the commentary coming from the PMO was usually documentation related and not about technical control implementation or anything that would create unacceptable risk to an agency. CSPs often sat in the review queue for close to a year, having to pay for an environment without being able to onboard a single client, waiting to be told their data flow diagram didn’t jibe with their boundary diagram in their System Security Plan. Bravo to Pete for recognizing this problem and eliminating this review, which was redundant with the validation conducted by the third-party assessment organizations (3PAOs).

Unfortunately, the second largest barrier to entry, the lack of resources and budget within agencies to “sponsor” a CSP, is still here. FedRAMP PMO maintains that the solution to this is to make it easier for agencies to determine risk by changing how we present the risk to the agency. Traditionally, a CSP would present a Plan of Action & Milestones (POA&M) document to show their agency sponsor the residual risk as determined by a point-in-time 3PAO assessment and monthly vulnerability scanning. PMO now wants CSPs to figure out how to automate their continuous monitoring and provide a dashboard that shows real-time risk.

Will this actually solve the problem? Aren’t we just giving the agency something new they have to review on an ongoing basis? Except instead of logging into a single document repository to review a simple document that is consistent across all the cloud services they leverage, they will now need a login to whatever mechanism the CSP uses to create and present a dashboard, which may look different depending on which CSP created it, and they will still need technical staff who have the capability to consume and interpret the data. Imagine the agencies who leverage 20 or more cloud services in their ecosystem having to maintain logins to 20+ different “portals” to review dashboards that are all presented in different ways. That sounds like a lot more work to me.

One idea I love from PMO is defining Key Security Indicators (KSIs). I view KSIs as similar to the federal mandates that have traditionally been required for a CSP to pass Go. I would love to see each agency define their deal breakers: the controls that must be implemented, the number of days a finding can go unmitigated, no high findings allowed, and whatever other criteria they use to determine whether a CSP is meeting the minimum risk thresholds they have decided are acceptable given the sensitivity of the data being processed, stored, or transmitted by a cloud service. If that were documented, no monthly POA&M or dashboard reviews would be necessary. A 3PAO could validate that a CSP is meeting the defined criteria and could alert the agency if the CSP fell out of compliance.

This brings me to the third largest barrier to entry for CSPs who want to provide their offering to the federal marketplace: the cost of achieving FedRAMP. PMO’s answer to this is lowering the security requirements to the point where a CSP does not have to build a separate environment for their government customers.

I have a love/hate relationship with this idea. I love the idea of eliminating or modifying the elements of FedRAMP that make innovating difficult for CSPs. The changes PMO is proposing around the significant change process are a step in the right direction toward this goal, and I hope they enable CSPs to ship the same feature releases for both their private and public sector clients.

I hate the idea of lowering the security requirements for CSPs. There are breaches of SOC 2- and ISO-compliant service providers every single day, but I haven’t heard of a FedRAMP-compliant service being breached yet, have you? Also, we have to remember that PMO is just setting the minimum requirements for FedRAMP; by no means does that mean all agencies will be OK with this lower bar. There is a reason FedRAMP Tailored was a bust and FedRAMP Low cloud services have not been widely adopted by agencies. They want the higher bar to be met. They want assurance that their data is going to be safe.

Unfortunately, security isn’t cheap. It reminds me of owning a house. It is fun to spend money on new furniture or on renovating and updating the kitchen or the bathroom. Replacing the windows or the HVAC unit is not a fun purchase, but it is necessary if you don’t want to freeze in the winter or roast in the summer. Security isn’t fun, and it isn’t as cool as investing in new features for your cloud service, but it is necessary if you want to keep your customers’ data safe; it is the cost of doing business and of building and maintaining customer trust.

It is going to take a minute for agencies to rebuild and figure out their new rhythm after experiencing a significant reduction in operating costs, but when the dust settles, adopting technology to help them achieve their mission is going to be a top priority. CSPs have a huge opportunity in the federal market. Being a first mover has significant advantages and waiting around to see if the FedRAMP 20X experiment is a failure or a success could mean missing out.

If CSPs and 3PAOs have the resources to support FedRAMP PMO in figuring out how to modernize our approach to compliance without sacrificing security, I highly encourage them to participate so they can help define the new FedRAMP. We at Coalfire are doing everything we can to support the vision by participating in the working groups and pilots ourselves. But we have to remember why PMO is driving for change in the first place: to make it easier for agencies to safely adopt cloud technology. If we don’t include agencies in this conversation and get their buy-in on the changes proposed now and in the future, it could all end up being a big waste of time.